Path: blob/master/documentation/modules/exploit/windows/scada/diaenergie_sqli.md
## Vulnerable Application

### Vulnerability Description

This module exploits a SQL injection vulnerability in DIAEnergie <= v8.28.0 (CVE-2024-4548). An unauthenticated remote attacker can exploit this vulnerability to inject an arbitrary script through a SQL injection vulnerability, which can then be executed in the context of `NT AUTHORITY\SYSTEM`. The vulnerability is within the CEBC service, which listens by default on TCP port 928. It accepts various user-controlled data, including `RecalculateHDMWYC` messages, which are insufficiently validated before being used as part of a SQL query.

Versions <= 1.10.1.8610 are affected. Tenable published TRA-2024-13 to cover the security issues.
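The two facts a defender can act on from the description above are the affected version ceiling and the exposure of `RecalculateHDMWYC` messages on TCP 928. The following triage helpers are an added example, not part of the Metasploit module or its documentation: the version ceiling is taken from the "<= 1.10.1.8610" statement above, and the message layout (a decoded text line whose first token is the message type) is an assumption, since the page does not describe the CEBC wire format.

```python
"""Defender-side triage for CVE-2024-4548 (DIAEnergie CEBC SQL injection).

Added example; assumptions: the affected ceiling is the "<= 1.10.1.8610"
figure from the text, and captured CEBC messages are available as decoded
text whose first token is the message type (constructed layout).
"""
import re

AFFECTED_CEILING = (1, 10, 1, 8610)   # from "Versions <= 1.10.1.8610 are affected"
CEBC_PORT = 928                       # default CEBC listener port per the text


def parse_version(s: str) -> tuple:
    """Turn '1.10.1.8610' into a comparable 4-tuple; short versions pad with 0."""
    parts = [int(p) for p in s.strip().lstrip("v").split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def is_affected_version(s: str) -> bool:
    """True when the installed DIAEnergie version falls within the affected range."""
    return parse_version(s) <= AFFECTED_CEILING


# Indicators that a value bound for a SQL query carries injection syntax:
# a string terminator, a statement separator, a comment marker, or UNION SELECT.
SQLI_PATTERN = re.compile(r"'|;|--|/\*|\bunion\s+select\b", re.IGNORECASE)


def flag_suspicious(messages, port=CEBC_PORT):
    """Return (dst_port, message) entries sent to the CEBC port as a
    RecalculateHDMWYC message whose payload contains SQL injection indicators."""
    hits = []
    for dst_port, msg in messages:
        if dst_port != port:
            continue
        kind, _, payload = msg.partition(" ")
        if kind == "RecalculateHDMWYC" and SQLI_PATTERN.search(payload):
            hits.append((dst_port, msg))
    return hits


# Constructed sample capture: (destination port, decoded message text)
SAMPLE = [
    (928, "RecalculateHDMWYC 2024-05-01 site01"),        # benign request
    (928, "RecalculateHDMWYC 2024-05-01' OR 1=1--"),     # textbook injection syntax
    (80, "RecalculateHDMWYC 2024-05-01'; --"),           # wrong port, ignored
    (928, "Heartbeat 1"),                                 # different message type
]

if __name__ == "__main__":
    for v in ("1.9", "1.10.1.8610", "1.10.2.0"):
        print(v, "affected" if is_affected_version(v) else "not affected")
    for hit in flag_suspicious(SAMPLE):
        print("ALERT", hit)
```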
### Vulnerable Application Installation

A trial version of the software can be obtained from [the vendor](https://downloadcenter.deltaww.com/downloadCenterCounter.aspx?DID=39969&DocPath=1&hl=en-US). For the product to work correctly, SQL Server (e.g., SQL Server Express) needs to be installed.
### Successfully tested on

- DIAEnergie v1.10 on Windows 10 22H2
- DIAEnergie v1.9 on Windows 10 22H2
## Verification Steps

1. Install the SQL Server (Express)
2. Install DIAEnergie
3. Start `msfconsole` and run the following commands:
You should get a meterpreter session in the context of `NT AUTHORITY\SYSTEM`.
## Scenarios

Running the exploit against DIAEnergie v1.10 on Windows 10 22H2, using curl as a fetch command, should result in an output similar to the following: